Closed sherlock-admin2 closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low
PNS commented:
User input validation: User input validation to prevent user mistakes is not considered a valid issue.
0xAadi commented:
Invalid: OOS, custom implementation tokens are OOS
MatricksDeCoder
medium
solmate SafeTransferLib does not check token contract existence
Summary
Use of Solmate SafeTransferLib may not be safe for token transfers as there may be token addresses input as expected to have code or contract but with no contract leading to either party losing tokens or in transaction
Vulnerability Detail
SafeTransferLib does not check contract existence. It is not uncommon for contracts to use the same address across different chains and users of this system may expect this. However this may not be the case as token could be deployed on chainA, but not on chainB. Parties having interacted with chainA and tokenA address may assume chainB tokenA address has tokenA contract when its empty
SafeTransferLib silently fails leading to no tokens moving from swapper or filler depending.
Impact
A swapper may specify an input token that does not exist but fillers or opposite parties may expect it exists. Swapper will get output tokens without any real transfer of input tokens going to fillers or other side parties . Unfairly gains tokens
A swapper may specify an output token that does not exist resulting in them losing as no real transfer of output token occurs from the fillers or other side of the parties. So user inputs tokens and losses by not getting expected output token whilst other side gains inputs without having to really transfer any output token
2024-02-rubicon-finance-MatricksDeCoder/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol
Code Snippet
Tool used
Manual Review
Recommendation
Consider using OpenZeppelin's Safe